Common Misconceptions on Cloud Security – Interview with Azure Expert Sasha Kranjac
Hi Sasha Kranjac, you are an internationally recognized Security and Azure Expert, Architect, and Instructor. We have a few questions for you.
It has previously been a problem for, for example, authorities to store in the cloud because they could not guarantee that servers within one’s own country. What is the development there?
The issue of data sovereignty and the physical location of cloud servers – that is, the servers where the data is processed and stored – has been a concern for many governments, including organisations, worldwide. The governments and organisations fear that if data is stored on servers located in a different country, the data may be, and in many cases is, subjected to different data protection and privacy laws, which could result in sensitive information being accessed or exposed to a third-party, without proper authorization and without possibility to prevent this to happen.
Nevertheless, cloud providers have recognized this problem and have responded by offering solutions to address this ever-present concern. For example, many cloud providers offer options to store data in specific geographic regions and allow customers to choose where their data is stored. These providers also offer extensive and comprehensive compliance certifications for various data protection and privacy regulations, such as GDPR, HIPAA, and FedRAMP, which may be required for government agencies. These also raise trust in cloud providers at organisations worldwide. Because, if some government trusts a cloud provider, and stores data at it, why wouldn’t an organisation do the same, right?
Furthermore, many cloud providers have implemented strong security measures, including multiple encryption options, various access controls methods and, of course, indispensable monitoring tools, to protect customer data from unauthorized access or exposure.
But let us take a step away and look at cloud providers’ business from a distance, to be able to spot one important premise of cloud usage: you become a customer of a cloud provider only when you trust that cloud provider. Once a customer lose trust, a cloud provider loses its customer, and it loses money. That is why cloud providers invest significant time and money in security of, and trust in their businesses.
I don’t think there exists a system that is completely, 100% secure. Given enough money and time (which is, again, money), every system can be breached, or security compromised – having enough money, you can buy enough time and knowledge to get to any data you want. It is known that vast majority of individuals and organisations trust cloud providers enough to entrust their data to them, where cloud providers have ensured customers have substantial data security mechanisms at their disposal. If a customer followed the best security practices, chances someone will get to their data is extremely small. Governments on the other hand, are not satisfied with these odds, no matter how small they are and, bound by local laws and regulations, often decide to decrease the possibility of losing the sensitive data further, near zero, by not storing sensitive data on someone else’s computer.
It is highly unlikely that governments will ever store their sensitive data in the cloud. General rule of thumb is the more sensitive data is, less likely that data will be stored at a cloud provider.
How secure is Azure compared to Google Drive etc.?
Microsoft OneDrive and Google Drive are both secure cloud storage solutions, and although they have similarities, they have somewhat different security features and capabilities. Both Microsoft and Google offer their cloud storage products in flavours suited for personal and business use, and while both cloud providers take security, privacy and data leakage very seriously, you should avoid putting sensitive data in the cloud without ensuring data confidentiality. While I use both, I’d like to give minor advantage to Microsoft due to Google’s past involvement with governments, and multiple data breaches, in 2014. and 2016.
Are there any common misconceptions when it comes to IT security?
Sure, there are numerous common misconceptions when it comes to IT security. One of the most common is “I’m too small to be a target”. Too many people and businesses believe that they are too small to be a target to cybercriminals. What they fail to understand, because not being informed well, is that today we face criminal ecosystems and rarely individual criminals. It is all about numbers: it does not matter if you are small or big. If you are not protected well enough, you will become a target precisely because you have weaker security defences.
Another common misconception is: “My data is safe in the cloud”. While cloud providers offer advanced and multiple security features, including encryption and access controls, it is still important to use strong passwords and two-factor authentication.
Do you think that awareness has increased as the threats have increased, or is it only a temporary increase when a hacker attack has just occurred?
While cloud security awareness has undoubtedly increased over the years, it has not increased enough. Cloud security awareness usually spikes in the aftermath of a high-profile data breach, or after media coverage of a security incident. When security incident happen, it often leads to increased media coverage and public attention, which in turn leads to a temporary increase in cloud security awareness. These events are just extremely small percentage of security breaches, while others never reach the public. Ordinary users’ data is breached, encrypted by ransomware and stolen daily, whereas organisations’ breaches are most likely swiped under the carpet, thanks to fear of losing customers, losing revenue, potential drop in stock prices and losing trust in business and investment. Don’t forget all security researchers or professionals are under non-disclosure agreement (I hope they are) which prevents them disclosing these matters to the public, which in turn, is not favourable to increasing security awareness. If all breaches were known to the public, I am confident we would have had significantly more secure computer systems much earlier.
Do you have any simple but good tips that everyone can do to increase IT security?
There are many, but I’d like to put emphasis on three.
First, one thing everyone can do right now, to increase the security significantly: use strong and unique passwords. Use strong, complex passwords that are difficult to guess, and use a different password for each account. I am not against using password managers, but I don’t use them as I don’t like to put all eggs in one basket.
Second, use two-factor or multi-factor authentication. Multi-factor authentication (MFA) adds an extra layer of security to your accounts by requiring a second factor of authentication in addition to your (strong) password. Even better, use Passwordless authentication, FIDO2 hardware keys or authenticator on your mobile phone, like Microsoft Authenticator, Google Authenticator or Yubico Authenticator.
Third, be wary of phishing emails. Do not click on links or download attachments from emails that you weren’t expecting, especially if they seem suspicious or come from an unfamiliar sender.
Not really a security thing, but please back up your important data regularly to ensure that you can recover it in the event of a security breach or hardware failure.
Because, there are two types of organisations (or individuals): the ones that have been breached and the ones that do not know they have been breached.
Azure Security Trainings
- SC-900: Microsoft Security, Compliance, and Identity Fundamentals
- AZ-500: Microsoft Azure Security Technologies
- SC-200: Microsoft Security Operations Analyst
- SC-300: Microsoft Identity and Access Management
- SC-400: Microsoftin informaation suojaamisen pääkäyttäjä
Webinar Series on Azure Security
- Moving your sensitive data and workloads to Azure securely
- Fundamentals for a successful and secure hybrid cloud
- Implementing ”Zero Trust” strategy in Microsoft cloud